e2767c98ca604617757441c03063deeb4e0e1bccc9da386d6274efb98d6bc69a

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Size

924KB
MD5

084248a7ea4ad9048e7b97cb4cc51452
SHA1

987108ddece8dc53651b9372caa6fe0c01b29399
SHA256

e2767c98ca604617757441c03063deeb4e0e1bccc9da386d6274efb98d6bc69a
SHA512

7bad32252556a299c546a7466763a19e1dbfc39bbe690ba3d01ea17014b794117f8ecaa262c8d439cd386630d88f0b89112e344a6e74f8828cb7b5cd6ef5deed
SSDEEP

24576:34H0b1KAEc20Mm6yiQQNN3iR1n7HNhf1aq246LlVtf6lJZY8tj:+0J7E4+AQH817HNhJ4VZ6JG8tj

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe

Executes dropped EXE 10 IoCs

pid	Process
2712	svehost.exe
2408	svehost.exe
1976	svehost.exe
1080	svehost.exe
1524	svehost.exe
2656	svehost.exe
2980	svehost.exe
920	svehost.exe
1044	svehost.exe
2384	svehost.exe

Loads dropped DLL 64 IoCs

pid	Process
2496	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
2496	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
2496	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
2496	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
2496	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
2496	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
2712	svehost.exe
2712	svehost.exe
2712	svehost.exe
2712	svehost.exe
2712	svehost.exe
2712	svehost.exe
2408	svehost.exe
2408	svehost.exe
2408	svehost.exe
2408	svehost.exe
2408	svehost.exe
2408	svehost.exe
1976	svehost.exe
1976	svehost.exe
1976	svehost.exe
1976	svehost.exe
1976	svehost.exe
1976	svehost.exe
1080	svehost.exe
1080	svehost.exe
1080	svehost.exe
1080	svehost.exe
1080	svehost.exe
1080	svehost.exe
1524	svehost.exe
1524	svehost.exe
1524	svehost.exe
1524	svehost.exe
1524	svehost.exe
1524	svehost.exe
2656	svehost.exe
2656	svehost.exe
2656	svehost.exe
2656	svehost.exe
2656	svehost.exe
2656	svehost.exe
2980	svehost.exe
2980	svehost.exe
2980	svehost.exe
2980	svehost.exe
2980	svehost.exe
2980	svehost.exe
920	svehost.exe
920	svehost.exe
920	svehost.exe
920	svehost.exe
920	svehost.exe
920	svehost.exe
1044	svehost.exe
1044	svehost.exe
1044	svehost.exe
1044	svehost.exe
1044	svehost.exe
1044	svehost.exe
2384	svehost.exe
2384	svehost.exe
2384	svehost.exe
2384	svehost.exe

Drops file in System32 directory 44 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svehost.exe	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\eaycQMVpeUf = "aMrYWq`xIaUTDw[VH\\J]AMfIeRFZ"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_CSJMw_th]RZFL"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_CxJMw_teu~]~\\"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\eaycQMVpeUf = "aMrYW~`xIaUTDx[VH\\J]@kfIeRFZ"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\eaycQMVpeUf = "aMrYW}`xIaUTD{[VH\\J]@IfIeRFZ"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\XKSosi = "wn~QCHDWi\\tegWXS\\sycaziRVw}\|G_"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\xaqlN = "@~qi\\xZO\\\|K{Wjv^P{\\ybPby[^kqVx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\CgloQkypq = "N{ZbxZt[o}CiQg^\x7f}vDNe_rKnyqVREM"	svehost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\CgloQkypq = "N{ZbxZt[o}CiQg^\x7f}vDNe_rKnyqVREM"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_C}JMw_tgHa_KL"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\XKSosi = "wn~QCHDWi\\tegWXS\\sycaziRVw}\|G_"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\CgloQkypq = "N{ZbxZt[o}CiQg^\x7f}vDNe_rKnyqVREM"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_CGJMw_tblxRqX"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\iwzxCsdb = "gJlHnqQzx\x7f_IErGRx[re^"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\CgloQkypq = "N{ZbxZt[o}CiQg^\x7f}vDNe_rKnyqVREM"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_CUJMw_thL\x7fhYP"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\eaycQMVpeUf = "aMrYWp`xIaUTDv[VH\\J]A\|fIeRFZ"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_CDJMw_t`mkVAt"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_C\|JMw_tlHHGHx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\ = "Component Categories Manager"	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\xaqlN = "@~qi\\xZO\\\|K{Wjv^P{\\ybPby[^kqVx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\eaycQMVpeUf = "aMrYWv`xIaUTDp[VH\\J]ABfIeRFZ"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_CTJMw_tcLVpZd"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_CMJMw_tdysILX"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\iwzxCsdb = "gJlHnqQzx\x7f_IErGRx[re^"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\CgloQkypq = "N{ZbxZt[o}CiQg^\x7f}vDNe_rKnyqVREM"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\eaycQMVpeUf = "aMrYW\|`xIaUTDz[VH\\J]@IfIeRFZ"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\eaycQMVpeUf = "aMrYW\x7f`xIaUTDy[VH\\J]@kfIeRFZ"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\eaycQMVpeUf = "aMrYW\|`xIaUTDz[VH\\J]@xfIeRFZ"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_CRJMw_tc]{BEx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_C~JMw_tjI[wOP"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\eaycQMVpeUf = "aMrYWw`xIaUTDq[VH\\J]ARfIeRFZ"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\CgloQkypq = "N{ZbxZt[o}CiQg^\x7f}vDNe_rKnyqVREM"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_CCJMw_tnmV^o`"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\CgloQkypq = "N{ZbxZt[o}CiQg^\x7f}vDNe_rKnyqVREM"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\InprocServer32\ = "OLE32.DLL"	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\InprocServer32\ThreadingModel = "Both"	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_CWJMw_tev`[R\\"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_CVJMw_teME@]L"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\eaycQMVpeUf = "aMrYWs`xIaUTDu[VH\\J]AofIeRFZ"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\eaycQMVpeUf = "aMrYWw`xIaUTDq[VH\\J]ABfIeRFZ"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\eaycQMVpeUf = "aMrYWw`xIaUTDq[VH\\J]ABfIeRFZ"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\XKSosi = "wn~QCHDWi\\tegWXS\\sycaziRVw}\|G_"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_CzJMw_tctmmyt"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_CsJMw_tm\\DHht"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\xaqlN = "@~qi\\xZO\\\|K{Wjv^P{\\ybPby[^kqVx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\xaqlN = "@~qi\\xZO\\\|K{Wjv^P{\\ybPby[^kqVx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\xaqlN = "@~qi\\xZO\\\|K{Wjv^P{\\ybPby[^kqVx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\iwzxCsdb = "gJlHnqQzx\x7f_IErGRx[re^"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\xaqlN = "@~qi\\xZO\\\|K{Wjv^P{\\ybPby[^kqVx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\eaycQMVpeUf = "aMrYWs`xIaUTDu[VH\\J]A\|fIeRFZ"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\xaqlN = "@~qi\\xZO\\\|K{Wjv^P{\\ybPby[^kqVx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_C{JMw_tic_Q{\|"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\iwzxCsdb = "gJlHnqQzx\x7f_IErGRx[re^"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_CPJMw_tiNsijT"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_CHJMw_tfDlKyH"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\eaycQMVpeUf = "aMrYW}`xIaUTD{[VH\\J]@IfIeRFZ"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_CrJMw_thSIBud"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\eaycQMVpeUf = "aMrYWt`xIaUTDr[VH\\J]ARfIeRFZ"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vTiyhPwzjPMze = "N_CXJMw_tmBM`@L"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\iwzxCsdb = "gJlHnqQzx\x7f_IErGRx[re^"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\iwzxCsdb = "gJlHnqQzx\x7f_IErGRx[re^"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\eaycQMVpeUf = "aMrYWq`xIaUTDw[VH\\J]ABfIeRFZ"	svehost.exe

NTFS ADS 11 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:1D956695	svehost.exe
File opened for modification	C:\ProgramData\TEMP:1D956695	svehost.exe
File opened for modification	C:\ProgramData\TEMP:1D956695	svehost.exe
File opened for modification	C:\ProgramData\TEMP:1D956695	svehost.exe
File opened for modification	C:\ProgramData\TEMP:1D956695	svehost.exe
File opened for modification	C:\ProgramData\TEMP:1D956695	svehost.exe
File created	C:\ProgramData\TEMP:1D956695	svehost.exe
File opened for modification	C:\ProgramData\TEMP:1D956695	svehost.exe
File opened for modification	C:\ProgramData\TEMP:1D956695	svehost.exe
File opened for modification	C:\ProgramData\TEMP:1D956695	svehost.exe
File opened for modification	C:\ProgramData\TEMP:1D956695	svehost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: 33	2496	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2496	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Token: 33	2712	svehost.exe
Token: SeIncBasePriorityPrivilege	2712	svehost.exe
Token: 33	2408	svehost.exe
Token: SeIncBasePriorityPrivilege	2408	svehost.exe
Token: 33	1976	svehost.exe
Token: SeIncBasePriorityPrivilege	1976	svehost.exe
Token: 33	1080	svehost.exe
Token: SeIncBasePriorityPrivilege	1080	svehost.exe
Token: 33	1524	svehost.exe
Token: SeIncBasePriorityPrivilege	1524	svehost.exe
Token: 33	2656	svehost.exe
Token: SeIncBasePriorityPrivilege	2656	svehost.exe
Token: 33	2980	svehost.exe
Token: SeIncBasePriorityPrivilege	2980	svehost.exe
Token: 33	920	svehost.exe
Token: SeIncBasePriorityPrivilege	920	svehost.exe
Token: 33	1044	svehost.exe
Token: SeIncBasePriorityPrivilege	1044	svehost.exe
Token: 33	2384	svehost.exe
Token: SeIncBasePriorityPrivilege	2384	svehost.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2712	2496	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe	31
PID 2496 wrote to memory of 2712	2496	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe	31
PID 2496 wrote to memory of 2712	2496	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe	31
PID 2496 wrote to memory of 2712	2496	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2408	2712	svehost.exe	32
PID 2712 wrote to memory of 2408	2712	svehost.exe	32
PID 2712 wrote to memory of 2408	2712	svehost.exe	32
PID 2712 wrote to memory of 2408	2712	svehost.exe	32
PID 2408 wrote to memory of 1976	2408	svehost.exe	33
PID 2408 wrote to memory of 1976	2408	svehost.exe	33
PID 2408 wrote to memory of 1976	2408	svehost.exe	33
PID 2408 wrote to memory of 1976	2408	svehost.exe	33
PID 1976 wrote to memory of 1080	1976	svehost.exe	34
PID 1976 wrote to memory of 1080	1976	svehost.exe	34
PID 1976 wrote to memory of 1080	1976	svehost.exe	34
PID 1976 wrote to memory of 1080	1976	svehost.exe	34
PID 1080 wrote to memory of 1524	1080	svehost.exe	35
PID 1080 wrote to memory of 1524	1080	svehost.exe	35
PID 1080 wrote to memory of 1524	1080	svehost.exe	35
PID 1080 wrote to memory of 1524	1080	svehost.exe	35
PID 1524 wrote to memory of 2656	1524	svehost.exe	37
PID 1524 wrote to memory of 2656	1524	svehost.exe	37
PID 1524 wrote to memory of 2656	1524	svehost.exe	37
PID 1524 wrote to memory of 2656	1524	svehost.exe	37
PID 2656 wrote to memory of 2980	2656	svehost.exe	38
PID 2656 wrote to memory of 2980	2656	svehost.exe	38
PID 2656 wrote to memory of 2980	2656	svehost.exe	38
PID 2656 wrote to memory of 2980	2656	svehost.exe	38
PID 2980 wrote to memory of 920	2980	svehost.exe	39
PID 2980 wrote to memory of 920	2980	svehost.exe	39
PID 2980 wrote to memory of 920	2980	svehost.exe	39
PID 2980 wrote to memory of 920	2980	svehost.exe	39
PID 920 wrote to memory of 1044	920	svehost.exe	40
PID 920 wrote to memory of 1044	920	svehost.exe	40
PID 920 wrote to memory of 1044	920	svehost.exe	40
PID 920 wrote to memory of 1044	920	svehost.exe	40
PID 1044 wrote to memory of 2384	1044	svehost.exe	41
PID 1044 wrote to memory of 2384	1044	svehost.exe	41
PID 1044 wrote to memory of 2384	1044	svehost.exe	41
PID 1044 wrote to memory of 2384	1044	svehost.exe	41

C:\Users\Admin\AppData\Local\Temp\084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\svehost.exe
  C:\Windows\system32\svehost.exe 728 "C:\Users\Admin\AppData\Local\Temp\084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\svehost.exe
    C:\Windows\system32\svehost.exe 752 "C:\Windows\SysWOW64\svehost.exe"
    3⤵
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\SysWOW64\svehost.exe
      C:\Windows\system32\svehost.exe 748 "C:\Windows\SysWOW64\svehost.exe"
      4⤵
      Drops file in Drivers directory
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 760 "C:\Windows\SysWOW64\svehost.exe"
        5⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1080
      - C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 764 "C:\Windows\SysWOW64\svehost.exe"
        6⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 772 "C:\Windows\SysWOW64\svehost.exe"
        7⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 776 "C:\Windows\SysWOW64\svehost.exe"
        8⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 768 "C:\Windows\SysWOW64\svehost.exe"
        9⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 780 "C:\Windows\SysWOW64\svehost.exe"
        10⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 788 "C:\Windows\SysWOW64\svehost.exe"
        11⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
0557a41aa0714efac4e0ba22ee8ee424

SHA1
300de45e977737d3622eb78ed60e32acba29cbd3

SHA256
25a108830d25e38e419fcc16d668653182fc406b8725efcdbe49a2c8a65cb376

SHA512
6f2ead104242ad09edb591053428d8802abae8ab4352be07673f734f6594b2900c52b74e0c3cd8ee606426bc8c510e0dc65561d5130a9e514d40696e1c4a0cf8

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
4ee43e021464ae7852a450bafc1025a4

SHA1
32273aa404e4e1227fa4d8977c80d0e9a91a7fe9

SHA256
e5c101eab33ea8cadccd07a223cd4cdf2f95c5405536aa8a2708dcd02e024026

SHA512
638cae2421d863ffc0fe97aa3dc3bc9caa1a97431819a85b1125c0102c45b6bc818856ff3a68a7e17ea91039d60a11827f6ac135d189887e2d85f6ea189f9692

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
23d3331a255e3f129be30d417f80f236

SHA1
51dfda55a84e21d0fff651d43d47715c7bed4128

SHA256
0b363e4dc870ae05d276bba1d2f89f80dbe7482c638a88cd842e0d87f786541e

SHA512
7204785504d189a8c89545328710fb88b2e01aa677bcff80ad1e873f13a165b428c84cb74ef3f577c9d96055bcae80705fef9d8e0c40f9238a9097593e67ecae

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
b474e90e3317ebeaafe49771cc0ccdbb

SHA1
06540cff91fcab5959f05bfa78469a451c00f590

SHA256
424ad4fa389a88787f286e6b81f96623ae5da40c81cf7e6a74971e6109982461

SHA512
a83196cac7d884511e1de498272afd43abf2f4d2afa147f55d468233b8d70c37c18928bfa298ec37a5526e8805ae6323d1f01bd3834a10af45b6b6c01a2e558b

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
6c45537359a62d655eb812ed3f3ada1e

SHA1
70e3d3707393ee8a1b2f08234d4ffe030a2ee7f1

SHA256
61b60799bdac4b1c5d28a31672a4f56d9be39199ab336200999ea047f3ecbc1c

SHA512
35be7b27513e8c27209c8bbfe15ea669e94f1e8a2c0d3f29355482d2129c637277874946cc13c6b4309dab830f6266a0dfc514b4a8066404683e190de6b67edc

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
92b73520c5256a7c1f63abef49328626

SHA1
ed70b6923ec73f892c598da47772b984e58debe5

SHA256
c396d835ebd5272991802d10795c8a56d8b20dd6b38474f4dc8a1d62df7d57bc

SHA512
7f2c847c69c376faa15d284303cdb392aa4cee2125ee6476643acc2e3d610adf89bbda55fff19aee054f3d386d2653c92b03522c88fec05cfcaa8116d1436f7a

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
879875ec0284c866e28d53fbe876723b

SHA1
90fd54eb6cb7ed495124a983bdf9dac5a84d0b7f

SHA256
786130c1a8b82db8075ecab27bd04aa024c53664b54694b23acc3f421b30ef48

SHA512
805ee492e141f7eb161a3bb0649877a97638273ec1f93dbf21653650c1bfdf6aaa1bbab6f9db80d821502efa02d217f4c87620f01453002fbb9e6d94d64936a8

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
c6fde6e87537d8b6d53ea38cd09f8bb2

SHA1
fa0820c5021d62fbcfa9d47b37db639239c349b9

SHA256
ac0df00cf76d1e26556427cf2ecc4373202ff04b6bf8af3bf726d91eee564d68

SHA512
a7067ea971d7eb39ab12e2e5dd8a9245738af3f7c3c15284f1ed99dfa371ba144c63feda4ed89c1934ea973cd9a16c7f1f3bd829282ea3c2f8a1647dbe85dcf3

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
94b348d5c208789da048aa4bb98cba1d

SHA1
a0594d6a1a46bf279053e4bdf9f0b2f05f6acbb9

SHA256
fdc3359610356451f16066e21377ecd12ac19d5cebfe8986a0c51a9e59fbe19d

SHA512
f8ec9e069cfd96905862135c90fa4af6481c26d27270443f2cbbc4e1752087bcc9239fed20cddd04904137bcfaab0105e0fde2b015e589244eb3d5f50d16353e

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
82182cf48dbc0908dedf73ad1871d956

SHA1
da60ae2d8d2204c7ed0b2f48fe45a0dd78f4d80f

SHA256
c71bdafac1883c88a2ee20b324010d60c495d78ca964e73e27c184ec389c7918

SHA512
aba2c79a50bcc68f9f7f60436123e82afd531c284fae806857c32d63ec52a80aa1db0741c5b0bc60238cf964105a950bb9331c058fc0c11f77d401ee6837a264

Download Submit
\Windows\SysWOW64\drivers\npf.sys

Filesize
41KB

MD5
243126da7ba441d7c7c3262dcf435a9c

SHA1
42616f7034c0f12e3e4a2166ebe082eb3f08223a

SHA256
80d36efd5b3abb82c421149d423e5019c21f203f085ae2655429a44bb5a9f5c0

SHA512
f5539774d89e8f025da97e7b49d143b7224fcf899db967a34445de70f9228ea5e2d5daffe6444492ce82a3dfb2734786e09140277c208ec1e64580ad74883e68

Download Submit
\Windows\SysWOW64\packet.dll

Filesize
86KB

MD5
3eb0beb8e318646104362537570fc6bc

SHA1
3cb48ea9073fcca5835adad307e14ebf0cfe7279

SHA256
ab3f8c80b85aae70f89c8e7919d7dd147c2bc3ec68769e0bdb05fcc4083e3643

SHA512
db5fd16749641de6282d36af7b1921f908850ece3429ffe5ad33d990431bf4990f0314d28af082394af1f4d66516d9d89806a38e2801c34b4dd1ccb69bfafe47

Download Submit
\Windows\SysWOW64\svehost.exe

Filesize
924KB

MD5
084248a7ea4ad9048e7b97cb4cc51452

SHA1
987108ddece8dc53651b9372caa6fe0c01b29399

SHA256
e2767c98ca604617757441c03063deeb4e0e1bccc9da386d6274efb98d6bc69a

SHA512
7bad32252556a299c546a7466763a19e1dbfc39bbe690ba3d01ea17014b794117f8ecaa262c8d439cd386630d88f0b89112e344a6e74f8828cb7b5cd6ef5deed

Download Submit
\Windows\SysWOW64\wpcap.dll

Filesize
234KB

MD5
cb0afba4f0fb6ca2b2ea0d2c3e86b588

SHA1
2459367892e012314b451e05de1f1162448a05fa

SHA256
1b0fe60175c88f7cd3f3765b2f0f3eb1530b2e5e5b51f89a83e0322de32bdcf7

SHA512
a4e2d66af68dee67be5883c4770c1339b6be4847a993619389404af6a7ec9763361d9a14c632ca6704f63d84b05483f4bea2ec035b466fdaf03ce68c5cbca128

Download Submit
memory/920-331-0x0000000002200000-0x0000000002209000-memory.dmp

Filesize
36KB

Download
memory/920-332-0x0000000002200000-0x0000000002209000-memory.dmp

Filesize
36KB

Download
memory/920-355-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/920-330-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/920-322-0x0000000002200000-0x0000000002209000-memory.dmp

Filesize
36KB

Download
memory/920-305-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1044-359-0x0000000002120000-0x0000000002129000-memory.dmp

Filesize
36KB

Download
memory/1044-350-0x0000000002120000-0x0000000002129000-memory.dmp

Filesize
36KB

Download
memory/1044-358-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1044-360-0x0000000002120000-0x0000000002129000-memory.dmp

Filesize
36KB

Download
memory/1044-384-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1080-185-0x0000000002340000-0x0000000002349000-memory.dmp

Filesize
36KB

Download
memory/1080-184-0x0000000002340000-0x0000000002349000-memory.dmp

Filesize
36KB

Download
memory/1080-229-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1080-195-0x0000000002340000-0x0000000002349000-memory.dmp

Filesize
36KB

Download
memory/1080-196-0x0000000002340000-0x0000000002349000-memory.dmp

Filesize
36KB

Download
memory/1080-194-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1524-233-0x0000000002060000-0x0000000002069000-memory.dmp

Filesize
36KB

Download
memory/1524-222-0x0000000002060000-0x0000000002069000-memory.dmp

Filesize
36KB

Download
memory/1524-223-0x0000000002060000-0x0000000002069000-memory.dmp

Filesize
36KB

Download
memory/1524-235-0x0000000002060000-0x0000000002069000-memory.dmp

Filesize
36KB

Download
memory/1524-266-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1524-232-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1976-125-0x0000000001FA0000-0x0000000002035000-memory.dmp

Filesize
596KB

Download
memory/1976-138-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1976-136-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1976-157-0x0000000002080000-0x0000000002089000-memory.dmp

Filesize
36KB

Download
memory/1976-158-0x0000000002080000-0x0000000002089000-memory.dmp

Filesize
36KB

Download
memory/1976-156-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1976-139-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1976-191-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1976-146-0x0000000002080000-0x0000000002089000-memory.dmp

Filesize
36KB

Download
memory/1976-137-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1976-133-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1976-134-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2384-388-0x00000000006C0000-0x00000000006C9000-memory.dmp

Filesize
36KB

Download
memory/2384-387-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2384-378-0x00000000006C0000-0x00000000006C9000-memory.dmp

Filesize
36KB

Download
memory/2384-379-0x00000000006C0000-0x00000000006C9000-memory.dmp

Filesize
36KB

Download
memory/2408-119-0x00000000020E0000-0x00000000020E9000-memory.dmp

Filesize
36KB

Download
memory/2408-152-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2408-113-0x00000000020E0000-0x00000000020E9000-memory.dmp

Filesize
36KB

Download
memory/2408-110-0x00000000003E0000-0x00000000003F5000-memory.dmp

Filesize
84KB

Download
memory/2408-114-0x0000000001F00000-0x0000000001F95000-memory.dmp

Filesize
596KB

Download
memory/2408-116-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2408-117-0x0000000001F00000-0x0000000001F95000-memory.dmp

Filesize
596KB

Download
memory/2408-84-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2408-118-0x00000000020E0000-0x00000000020E9000-memory.dmp

Filesize
36KB

Download
memory/2408-123-0x0000000003520000-0x00000000036F2000-memory.dmp

Filesize
1.8MB

Download
memory/2408-100-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2408-101-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2408-103-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2408-104-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2408-106-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2408-107-0x0000000001F00000-0x0000000001F95000-memory.dmp

Filesize
596KB

Download
memory/2408-105-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2408-85-0x0000000001F00000-0x0000000001F95000-memory.dmp

Filesize
596KB

Download
memory/2408-153-0x0000000001F00000-0x0000000001F95000-memory.dmp

Filesize
596KB

Download
memory/2408-90-0x0000000001F00000-0x0000000001F95000-memory.dmp

Filesize
596KB

Download
memory/2496-72-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-65-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-6-0x0000000001F30000-0x0000000001FC5000-memory.dmp

Filesize
596KB

Download
memory/2496-0-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-7-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-11-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-8-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-14-0x0000000001F30000-0x0000000001FC5000-memory.dmp

Filesize
596KB

Download
memory/2496-13-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-12-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-69-0x0000000001F30000-0x0000000001FC5000-memory.dmp

Filesize
596KB

Download
memory/2496-71-0x0000000001F30000-0x0000000001FC5000-memory.dmp

Filesize
596KB

Download
memory/2496-21-0x0000000002160000-0x0000000002175000-memory.dmp

Filesize
84KB

Download
memory/2496-10-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-1-0x0000000001F30000-0x0000000001FC5000-memory.dmp

Filesize
596KB

Download
memory/2496-27-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/2496-28-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/2496-38-0x0000000003250000-0x0000000003422000-memory.dmp

Filesize
1.8MB

Download
memory/2656-298-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2656-271-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/2656-244-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2656-267-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/2656-272-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/2656-270-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2712-55-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2712-76-0x0000000000340000-0x00000000003D5000-memory.dmp

Filesize
596KB

Download
memory/2712-54-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2712-67-0x0000000000600000-0x0000000000609000-memory.dmp

Filesize
36KB

Download
memory/2712-52-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2712-66-0x0000000000600000-0x0000000000609000-memory.dmp

Filesize
36KB

Download
memory/2712-97-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2712-93-0x0000000000340000-0x00000000003D5000-memory.dmp

Filesize
596KB

Download
memory/2712-82-0x00000000034D0000-0x00000000036A2000-memory.dmp

Filesize
1.8MB

Download
memory/2712-48-0x0000000000340000-0x00000000003D5000-memory.dmp

Filesize
596KB

Download
memory/2712-40-0x0000000000340000-0x00000000003D5000-memory.dmp

Filesize
596KB

Download
memory/2712-78-0x0000000000600000-0x0000000000609000-memory.dmp

Filesize
36KB

Download
memory/2712-61-0x0000000000620000-0x0000000000635000-memory.dmp

Filesize
84KB

Download
memory/2712-53-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2712-98-0x0000000000340000-0x00000000003D5000-memory.dmp

Filesize
596KB

Download
memory/2712-50-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2712-49-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2712-73-0x0000000000340000-0x00000000003D5000-memory.dmp

Filesize
596KB

Download
memory/2712-75-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2712-56-0x0000000000340000-0x00000000003D5000-memory.dmp

Filesize
596KB

Download
memory/2712-77-0x0000000000600000-0x0000000000609000-memory.dmp

Filesize
36KB

Download
memory/2980-327-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2980-303-0x0000000002020000-0x0000000002029000-memory.dmp

Filesize
36KB

Download
memory/2980-302-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2980-299-0x0000000002020000-0x0000000002029000-memory.dmp

Filesize
36KB

Download